[....] Starting enhanced syslogd: rsyslogd[ 14.391926] audit: type=1400 audit(1549216158.417:4): avc: denied { syslog } for pid=1928 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts. 2019/02/03 17:49:42 parsed 1 programs 2019/02/03 17:49:44 executed programs: 0 2019/02/03 17:49:49 executed programs: 173 syzkaller login: [ 45.941454] ================================================================== [ 45.948868] BUG: KASAN: use-after-free in disk_unblock_events+0x55/0x60 [ 45.955609] Read of size 8 at addr ffff8801cf3e40e8 by task blkid/3064 [ 45.962266] [ 45.963887] CPU: 1 PID: 3064 Comm: blkid Not tainted 4.4.172+ #13 [ 45.970103] 0000000000000000 020518365688c095 ffff8801d6c4f730 ffffffff81aacde1 [ 45.978157] 0000000000000000 ffffea00073cf800 ffff8801cf3e40e8 0000000000000008 [ 45.986218] 0000000000000000 ffff8801d6c4f768 ffffffff8148fedd 0000000000000000 [ 45.994300] Call Trace: [ 45.996895] [] dump_stack+0xc1/0x120 [ 46.002260] [] print_address_description+0x6f/0x21b [ 46.008919] [] kasan_report.cold+0x8c/0x2be [ 46.014886] [] ? disk_unblock_events+0x55/0x60 [ 46.021117] [] __asan_report_load8_noabort+0x14/0x20 [ 46.027865] [] disk_unblock_events+0x55/0x60 [ 46.033914] [] __blkdev_get+0x70c/0xdf0 [ 46.039537] [] ? __blkdev_put+0x840/0x840 [ 46.045326] [] ? trace_hardirqs_on+0x10/0x10 [ 46.051374] [] blkdev_get+0x2e8/0x920 [ 46.056810] [] ? bd_may_claim+0xd0/0xd0 [ 46.062423] [] ? bd_acquire+0x8a/0x370 [ 46.067958] [] ? _raw_spin_unlock+0x2d/0x50 [ 46.073920] [] blkdev_open+0x1aa/0x250 [ 46.079445] [] do_dentry_open+0x38f/0xbd0 [ 46.085246] [] ? __inode_permission2+0x9e/0x250 [ 46.091555] [] ? blkdev_get_by_dev+0x80/0x80 [ 46.097604] [] vfs_open+0x10b/0x210 [ 46.102891] [] ? may_open.isra.0+0xe7/0x210 [ 46.108854] [] path_openat+0x136f/0x4470 [ 46.114562] [] ? kasan_kmalloc.part.0+0xc6/0xf0 [ 46.120872] [] ? may_open.isra.0+0x210/0x210 [ 46.126927] [] ? trace_hardirqs_on+0x10/0x10 [ 46.132984] [] do_filp_open+0x1a1/0x270 [ 46.138608] [] ? user_path_mountpoint_at+0x50/0x50 [ 46.145191] [] ? __alloc_fd+0x1ea/0x490 [ 46.150809] [] ? _raw_spin_unlock+0x2d/0x50 [ 46.156776] [] do_sys_open+0x2f8/0x600 [ 46.162307] [] ? filp_open+0x70/0x70 [ 46.167662] [] ? retint_user+0x18/0x3c [ 46.173197] [] ? trace_hardirqs_on_caller+0x385/0x5a0 [ 46.180062] [] SyS_open+0x2d/0x40 [ 46.185170] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 46.191732] [ 46.193354] Allocated by task 3055: [ 46.196963] [] save_stack_trace+0x26/0x50 [ 46.202895] [] kasan_kmalloc.part.0+0x62/0xf0 [ 46.209197] [] kasan_kmalloc+0xb7/0xd0 [ 46.214858] [] kmem_cache_alloc_trace+0x123/0x2d0 [ 46.221516] [] alloc_disk_node+0x50/0x3c0 [ 46.227441] [] alloc_disk+0x1b/0x20 [ 46.232851] [] loop_add+0x380/0x830 [ 46.238256] [] loop_probe+0x154/0x180 [ 46.243835] [] kobj_lookup+0x221/0x410 [ 46.249506] [] get_gendisk+0x3c/0x2e0 [ 46.255084] [] blkdev_get+0xf4/0x920 [ 46.260571] [] blkdev_open+0x1aa/0x250 [ 46.266253] [] do_dentry_open+0x38f/0xbd0 [ 46.272183] [] vfs_open+0x10b/0x210 [ 46.277586] [] path_openat+0x136f/0x4470 [ 46.283427] [] do_filp_open+0x1a1/0x270 [ 46.289181] [] do_sys_open+0x2f8/0x600 [ 46.294839] [] SyS_open+0x2d/0x40 [ 46.300072] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 46.306778] [ 46.308393] Freed by task 3064: [ 46.311662] [] save_stack_trace+0x26/0x50 [ 46.317581] [] kasan_slab_free+0xb0/0x190 [ 46.323502] [] kfree+0xf4/0x310 [ 46.328558] [] disk_release+0x255/0x330 [ 46.334295] [] device_release+0x7d/0x220 [ 46.340143] [] kobject_put+0x14c/0x260 [ 46.345803] [] put_disk+0x23/0x30 [ 46.351035] [] __blkdev_get+0x66c/0xdf0 [ 46.356787] [] blkdev_get+0x2e8/0x920 [ 46.362366] [] blkdev_open+0x1aa/0x250 [ 46.368032] [] do_dentry_open+0x38f/0xbd0 [ 46.373960] [] vfs_open+0x10b/0x210 [ 46.379371] [] path_openat+0x136f/0x4470 [ 46.385206] [] do_filp_open+0x1a1/0x270 [ 46.390948] [] do_sys_open+0x2f8/0x600 [ 46.396622] [] SyS_open+0x2d/0x40 [ 46.401853] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 46.408561] [ 46.410185] The buggy address belongs to the object at ffff8801cf3e3b80 [ 46.410185] which belongs to the cache kmalloc-2048 of size 2048 [ 46.423024] The buggy address is located 1384 bytes inside of [ 46.423024] 2048-byte region [ffff8801cf3e3b80, ffff8801cf3e4380) [ 46.435074] The buggy address belongs to the page: [ 46.440703] BUG: spinlock bad magic on CPU#0, syz-executor5/2120 [ 46.466332] ------------[ cut here ]------------ [ 46.466352] WARNING: CPU: 0 PID: 2120 at lib/debugobjects.c:260 debug_print_object+0x181/0x210() [ 46.466360] ODEBUG: deactivate not available (active state 0) object type: hrtimer hint: 0xffff8801cf3e4380 [ 46.466365] Kernel panic - not syncing: panic_on_warn set ... [ 46.466365] [ 46.466372] CPU: 0 PID: 2120 Comm: syz-executor5 Not tainted 4.4.172+ #13 [ 46.466383] 0000000000000000 e02b23f0497dc829 ffff8801db607a78 ffffffff81aacde1 [ 46.466390] ffff8801db607bc8 ffffffff82835ee0 ffffffff8292c440 0000000000000104 [ 46.466398] ffffffff81b0afe1 ffff8801db607b58 ffffffff813a46b2 0000000041b58ab3 [ 46.466400] Call Trace: [ 46.466413] [] dump_stack+0xc1/0x120 [ 46.466419] [] ? debug_print_object+0x181/0x210 [ 46.466428] [] panic+0x1b9/0x37b [ 46.466434] [] ? add_taint.cold+0x16/0x16 [ 46.466455] [] ? console_trylock+0x2c/0xc0 [ 46.466461] [] ? vprintk_emit+0x248/0x820 [ 46.466468] [] ? warn_slowpath_common.cold+0x5/0x20 [ 46.466492] [] warn_slowpath_common.cold+0x20/0x20 [ 46.466505] [] ? ktime_add_safe+0x140/0x140 [ 46.466517] [] warn_slowpath_fmt+0xbf/0x100 [ 46.466523] [] ? warn_slowpath_common+0x120/0x120 [ 46.466536] [] ? trace_hardirqs_on+0x10/0x10 [ 46.466542] [] debug_print_object+0x181/0x210 [ 46.466548] [] debug_object_deactivate+0x29f/0x360 [ 46.466553] [] ? debug_object_activate+0x470/0x470 [ 46.466560] [] ? ktime_get+0x126/0x1c0 [ 46.466582] [] ? clockevents_program_event+0x1c4/0x3f0 [ 46.466607] [] ? default_inquire_remote_apic+0x60/0x60 [ 46.466613] [] __hrtimer_run_queues+0x1bd/0xfc0 [ 46.466634] [] ? hrtimer_fixup_init+0x70/0x70 [ 46.466642] [] ? kvm_clock_get_cycles+0x9/0x10 [ 46.466648] [] ? hrtimer_interrupt+0x121/0x450 [ 46.466654] [] hrtimer_interrupt+0x1b6/0x450 [ 46.466661] [] local_apic_timer_interrupt+0x76/0xa0 [ 46.466671] [] smp_apic_timer_interrupt+0x79/0xb0 [ 46.466677] [] apic_timer_interrupt+0x9d/0xb0 [ 46.466687] [] ? dump_page+0x20/0x30 [ 46.466694] [] ? dump_page_badflags+0x56/0x70 [ 46.466700] [] ? dump_page+0x20/0x30 [ 46.466706] [] ? dump_page_badflags+0x56/0x70 [ 46.466712] [] ? dump_page+0x20/0x30 [ 46.466718] [] ? dump_page_badflags+0x56/0x70 [ 46.466724] [] ? dump_page+0x20/0x30 [ 46.466730] [] ? dump_page_badflags+0x56/0x70 [ 46.466736] [] ? dump_page+0x20/0x30 [ 46.466742] [] ? dump_page_badflags+0x56/0x70 [ 46.466748] [] ? dump_page+0x20/0x30 [ 46.466754] [] ? dump_page_badflags+0x56/0x70 [ 46.466760] [] ? dump_page+0x20/0x30 [ 46.466766] [] ? dump_page_badflags+0x56/0x70 [ 46.466772] [] ? dump_page+0x20/0x30 [ 46.466787] [] ? dump_page_badflags+0x56/0x70 [ 46.466798] [] ? dump_page+0x20/0x30 [ 46.466813] [] ? dump_page_badflags+0x56/0x70 [ 46.466829] [] ? _raw_spin_lock+0x40/0x50 [ 46.466844] [] ? dump_page+0x20/0x30 [ 46.466855] [] ? dump_page_badflags+0x56/0x70 [ 46.466861] [] ? dump_page+0x20/0x30 [ 46.466867] [] ? dump_page_badflags+0x56/0x70 [ 46.466901] [] ? dump_page+0x20/0x30 [ 46.466912] [] ? dump_page_badflags+0x56/0x70 [ 46.466918] [] ? dump_page+0x20/0x30 [ 46.466928] [] ? dump_page_badflags+0x56/0x70 [ 46.466939] [] ? dump_page+0x20/0x30 [ 46.466985] [] ? dump_page_badflags+0x56/0x70 [ 46.466991] [] ? dump_page+0x20/0x30 [ 46.467019] [] ? dump_page_badflags+0x56/0x70 [ 46.467024] [] ? dump_page+0x20/0x30 [ 46.467033] [] ? dump_page_badflags+0x56/0x70 [ 46.467043] [] ? dump_page+0x20/0x30 [ 46.467068] [] ? dump_page_badflags+0x56/0x70 [ 47.665289] Shutting down cpus with NMI [ 47.665643] Kernel Offset: disabled [ 48.097584] Rebooting in 86400 seconds..